Homomorphic Signatures and Network Coding Signatures

ABSTRACT

The subject disclosure is directed towards a technology by which data is securely distributed using a homomorphic signature scheme and homomorphic network coding signature schemes. A homomorphic signature scheme for signing the data is based upon binary pairing with standard prime order groups. Sets of data are signed based upon dividing a larger block of data into smaller blocks, and separately signing each smaller block. The smaller blocks may be distributed to nodes of a network topology that are configured for network coding. In one alternative, the homomorphic signature scheme protects against changes to the block identifier. Proof data may be provided independent of a random oracle, may be provided by providing parameters for verification in a Groth-Sahai proof system, or may be provided by providing parameters for verification independent of a Groth-Sahai proof system.

BACKGROUND

Network coding refers to data packet routing techniques that may be usedinstead of ‘store and forward’ networking techniques. In general,network coding is performed at network nodes to combine incoming packetsinto coded packets before transmitting those coded packets to arecipient node or nodes. The combination of data is such that eachrecipient node is able to recover the original data from less than allreceived packets. Network coding thus provides improved resilience topacket loss, and moreover, increases throughput for certain classes ofnetwork topologies.

More particularly, at each node, the outgoing packets contain vectorsthat are calculated as a linear combination of vectors conveyed byincoming packets. With random linear network coding, packets arecombined using coefficients that each node chooses at random. Arecipient node is able to recover the original data from any set (ofsufficient cardinality) of linearly independent vectors and withoutprior knowledge of the coefficients chosen by the intermediate nodes.Linear network codes offer robustness, adaptability and thus offerbenefits in many practical applications, e.g., in wireless and sensornetworks.

However, network coding is highly sensitive to pollution attacks, inwhich malicious nodes inject corrupted packets (e.g., one or morepackets outside of the linear span of received packets) into thenetwork, which prevents the recipient node from recovering the originalfile. Because nodes perform linear transformation over the incomingnodes, even a single corrupted packet is likely to contaminate theentire network and eventually hinder the decoding process. Intermediatenon-malicious nodes thus need a way to verify the validity of incomingpackets and filter out the bad ones. Packets cannot be authenticatedusing traditional digital signature schemes, because the transmittedpackets need to be modified by the network nodes and thus cannot besimply signed by the source. In sum, traditional digital signatureschemes fail in situations where a digital signature on arbitrarilycombined packets needs verification, assuming that the total cost ofverifying independent signatures is costlier than verifying a singlecombined signature on a target node.

SUMMARY

This Summary is provided to introduce a selection of representativeconcepts in a simplified form that are further described below in theDetailed Description. This Summary is not intended to identify keyfeatures or essential features of the claimed subject matter, nor is itintended to be used in any way that would limit the scope of the claimedsubject matter.

Briefly, various aspects of the subject matter described herein aredirected towards a technology by which data is securely distributedusing a homomorphic signature scheme, in which the homomorphic signaturescheme for signing the data is based upon binary pairing with standardprime order groups. In one aspect, the sets of data are signed basedupon dividing a larger block of data into smaller blocks, and separatelysigning each smaller block. The smaller blocks may be distributed tonodes of a network topology that are configured for network codingcombinations of a subset of the smaller blocks. In one alternative, eachof the blocks may contain information corresponding to a blockidentifier, and the homomorphic signature scheme protects againstchanges to the block identifier.

In one aspect, proof data is provided independent of a random oracle. Inone alternative, proof data is provided by providing parameters forverification in a Groth-Sahai proof system. In one alternative, proofdata is provided by providing parameters for verification independent ofa Groth-Sahai proof system.

Other advantages may become apparent from the following detaileddescription when taken in conjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example and not limitedin the accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIG. 1 is a representation of a network configured for distributing datavia a network topology in which nodes are configured for network coding.

FIG. 2 is a block diagram representing how a homomorphic signaturescheme as described herein may be used with network coding to verifydata integrity.

FIG. 3 is a flow diagram representing example steps that may be taken toprocess received data for verification and network coding using ahomomorphic signature scheme as described herein.

FIG. 4 is a block diagram representing an example computing environmentinto which aspects of the subject matter described herein may beincorporated.

DETAILED DESCRIPTION

Various aspects of the technology described herein are generallydirected towards a homomorphic signature scheme and homomorphic networkcoding signature schemes. These schemes allow for signing of packets ina way that may be used to detect corrupted packets, and thereby reducethe harm of pollution attacks.

Described herein are a homomorphic signature scheme and constructionsfor homomorphic network coding signature schemes. These schemes aresecure in the standard model (as opposed to the Random Oracle basedsecurity of previous schemes). Additionally, these schemes do notrequire a special composite order pairing group, (as does the only otherknown scheme with security in the standard model does), therebyexpanding the applicability to any pairing friendly group and makingdesigns general to any pairing friendly group.

It should be understood that any of the examples herein arenon-limiting. As such, the present invention is not limited to anyparticular embodiments, aspects, concepts, structures, functionalitiesor examples described herein. Rather, any of the embodiments, aspects,concepts, structures, functionalities or examples described herein arenon-limiting, and the present invention may be used various ways thatprovide benefits and advantages in computing and networking/networksecurity in general.

Turning to FIG. 1, a plurality of nodes that route network data isshown. As can be readily appreciated, the arrangement of the depictednodes is only an example, and the technology described herein applies toany practical number and/or arrangement of nodes. Further, the path orpaths taken by a network packet may be arbitrary, and FIG. 1 is only anexample of such paths.

In FIG. 1, a source node 102, which may be any computing device capableof sending data (including a computer system, a router or the like) issending data (e.g., a file) to one or more destination nodes, shown forsimplicity in FIG. 1 as a single target node 104. The target node 104may be any computing device capable of receiving data. Note that in anactual network there may be more than one source node using the network,and there may be more than one target node, however only one of each isshown for purposes of simplicity.

As is known, to transmit a large file or the like, the source node 102may segment the data into smaller packages, which for purposes of theexample herein are referred to as data packets. Various decisions may bemade by the source node to select which node or nodes traffic is to berouted, providing a distributed system/distribution scheme.

In the example topology of FIG. 1, the source node 102 is coupled tointermediate nodes IN1-IN4 and distributes the data packets (e.g., of afile) to these intermediate nodes IN1-IN4. The intermediate nodesIN1-IN4 in turn are coupled to other intermediate nodes IN5-IN8, whichin turn are coupled to other intermediate nodes IN9-IN12 that arecoupled to the target node 104 in this example topology. In the exampleof FIG. 1, packets from the source node 102 are received at intermediatenodes IN1-IN4. The intermediate nodes IN1 and IN2 distribute theirreceived packets to IN6, IN3 distributes its received packets to IN7,and IN4 distributes its received packets to IN8. In turn, theintermediate nodes IN6, IN7 and IN8 distribute packets to theintermediate node IN11.

Any of the packets corresponding to the same file may be coded usingnetwork coding before transmitting those coded packets to a recipientnode, which helps with resilience to packet loss and can improvethroughput. However, consider that in FIG. 1, the intermediate node IN6is a malicious node (as indicated by the bordered box) that injects oneor more corrupt packets into the network, which the node IN11 receives.Heretofore the intermediate node IN11 was unable to detect such packets,whereby some of the packets received at the target node 104 are thuscorrupted. If as described herein such corrupted packets are detectable,they are able to be filtered out, whereby it is highly likely that thetarget node 104 is able to reconstruct the original data. However,traditional signature schemes cannot be used for such detection.

Described herein are a homomorphic signature scheme and constructionsfor homomorphic network coding signature schemes by which corruptedcoded packets can be detected. As will be understood, each scheme hasdifferent characteristics that make them applicable to variousscenarios. For example, one homomorphic network coding signature schemedescribed herein is secure in a stronger security model where theattacker can choose the data (e.g., file) identifier (in contrast toprevious schemes that were not secure when the attacker can choose thedata identifier). Another homomorphic network coding signature scheme issecure in a weaker security model (thus is more secure), and does notdepend on the Groth-Sahai proof system, which comprises using arelatively complex and computationally-expensive set of equations.

FIG. 2 is an example block/dataflow diagram showing how a source node202 distributes packets P_(HS), signed using signatures 203 of ahomomorphic signature scheme as described herein, to intermediate nodes222 ₁-222 _(N). The intermediate nodes may combine multiple packets, ifreceived, digitally sign them with a homomorphic signature, andsend/distribute them to other nodes. In the example of FIG. 2, at leastone other intermediate node 224 receives the packets.

In FIG. 2, components of the illustrated intermediate node 224 (whichare also in intermediate nodes 222 ₁and 222 _(N), but not shown forsimplicity) are able to use public information received with each packetto authenticate the signatures. Any non-verified packets are discarded,as represented by the signature checking filter 226. Authenticatedpackets 228 may be network coded/signed with a homomorphic signaturescheme as represented via the block 230, resulting in coded homomorphicsigned packets 232.

These coded packets, possibly along with other packets from otherintermediate nodes, are received at the final destination node, shown asthe target node 204. A signature checking filter 236 is used to filterout non-verified packets resulting in authenticated packets 238. Theauthenticated packets may be used to reconstruct the original file data.

FIG. 3 is an example flow diagram showing example steps directed towardsdigital signatures for network coding, that is, the distribution schememay be a network coding distribution scheme. A source provides a set ofdata by dividing the data into blocks and digitally signing each blockwith respective homomorphic digital signatures 203 (FIG. 2). This may beaccomplished as described in U.S. published patent application no.20070118746, hereby incorporated by reference.

At step 302, a node receives one or more of the distributed linearcombination of packets, including public information. At steps 304 and306, the recipient node authenticates and verifies and content in eachreceived packet using the public information. Any packet that is notverified may be discarded, as represented via step 308.

If the recipient node is not the final destination (target node) asrepresented by step 310, at step 312 the recipient node combines packetsand signs them with a signature based upon the received signatures. Therecipient node thus digitally re-signs the valid packets withoutcommunicating back to the previous source. The recipient node may thendistribute (step 314) the re-signed, combined packets along withassociated public information used to digitally sign the blocks, to anext recipient device.

At some point in a typical transmission, at step 310 a node that is thefinal destination will receive the packets. At step 316, these packetsmay then be decoded and used to reassemble the original data block(e.g., file). Note that invalid packets are discarded, and the receiveddata is not corrupted, whereby secure network coding is provided despitemalicious intermediate nodes.

One homomorphic signature scheme described herein is based on theGroth-Sahai proof system and is secure in the standard model. Thisscheme does not require a special composite pairing group (as withprevious schemes), and instead works on any pairing group such aspairing friendly Elliptic Curve Groups.

Turning to network coding, consider a network as represented in FIG. 1with one source node 102 and a target node 104 (or a set of targetnodes). A general goal in this example is to have the source nodetransmit a file to the target node, where a file is represented as amatrix comprising m row vectors {right arrow over (v)}₁, . . . , {rightarrow over (v)}_(m)∈

_(N) ^(k) over a field

_(N). Initially, the source node creates m augmented vectors {rightarrow over (w)}₁, . . . , {right arrow over (w)}_(m)∈

_(N) ^(n), with n=k+m, by setting

$\begin{matrix}{\begin{pmatrix}{\overset{\rightarrow}{w}}_{1} \\{\overset{\rightarrow}{w}}_{2} \\\vdots \\{\overset{\rightarrow}{w}}_{m}\end{pmatrix} = {\left( {\begin{matrix}{\overset{\rightarrow}{v}}_{1} \\{\overset{\rightarrow}{v}}_{2} \\\vdots \\{\overset{\rightarrow}{v}}_{m}\end{matrix}\begin{matrix}\begin{matrix}\begin{matrix}{10\mspace{14mu} \ldots \mspace{14mu} 0} \\{01\mspace{14mu} \ldots \mspace{14mu} 0}\end{matrix} \\\ddots\end{matrix} \\{00\mspace{14mu} \ldots \mspace{14mu} 1}\end{matrix}} \right).}} & (1)\end{matrix}$

The source node 102 sends these augmented vectors to its neighboringnodes, shown in the example of FIG. 1 as intermediate nodes IN1-IN4. Thespan of row vectors of the above matrix generates a vector subspace V⊂

_(N) ^(n) of dimension m with basis {right arrow over (w)}₁, . . . ,{right arrow over (w)}_(m). Note that when the basis is in the formcorresponding to the right hand side of Equation (1), the basis iscalled a properly augmented basis.

Intermediate nodes IN1-IN4 in the network receive the vectors {rightarrow over (y)}₁, . . . , {right arrow over (w)}_(l)∈

_(N) ^(n) on its l incoming edges. Each non-malicious (“honest”)intermediate node computes a new vector for each outgoing edge as arandom linear combination of the vectors it received. Namely, at thej^(th) outgoing edge, the vector {right arrow over (z)}_(j)∈

_(N) ^(n) has the form {right arrow over (z)}_(j)=Σ_(i=1)^(l)α_(i,j){right arrow over (y)}_(i), for random coefficients (α_(1,j),. . . , α_(l,j))∈

_(N) ^(l).

The target node 104 recovers the file using a set of vectors from itsincoming edges. The target node 104 finds m linearly independent vectors{{right arrow over (y)}_(i)={right arrow over (x)}_(i)∥{right arrow over(u)}_(i)}_(i=1) ^(m) where {right arrow over (u)}₁, . . . , {right arrowover (u)}_(m) are linearly independent (here {right arrow over (x)}_(i)∈

_(N) ^(k), {right arrow over (u)}_(i)∈

_(N) ^(m)). The original file is then recovered as

${\begin{pmatrix}{\overset{\rightarrow}{v}}_{1} \\{\overset{\rightarrow}{v}}_{2} \\\vdots \\{\overset{\rightarrow}{v}}_{m}\end{pmatrix} = {\begin{pmatrix}{\overset{\rightarrow}{u}}_{1} \\{\overset{\rightarrow}{u}}_{2} \\\vdots \\{\overset{\rightarrow}{u}}_{m}\end{pmatrix}^{- 1} \cdot \begin{pmatrix}{\overset{\rightarrow}{x}}_{1} \\{\overset{\rightarrow}{x}}_{2} \\\vdots \\{\overset{\rightarrow}{x}}_{m}\end{pmatrix}}},$

which is computable as {right arrow over (u)}₁, . . . , {right arrowover (u)}_(m) are linearly independent.

The above-described network coding scheme is highly susceptible toattacks. Due to error propagation, even a single malicious (“dishonest”)intermediate node (e.g., IN6, represented in FIG. 1 by the double box)can succeed in disrupting the transmission of the correct file.Traditional signature schemes by which authenticity of the data can bevalidated are not particularly helpful in this scenario, as honest nodesneed to generate signatures for a random combination of receivedvectors.

A homomorphic network coding signature scheme as described herein solvesthis problem. With homomorphic signatures, given a set of vectors andtheir signatures, the signature of any vector that is spanned by thegiven set of vectors may be efficiently computed. However, generating asignature for any vector outside the spanned subspace is difficult.Moreover homomorphic network coding signatures ensure that intermediatenodes can only combine vectors from the same file.

Turning to one homomorphic network signature scheme, informally eachvector that is signed is part of a file, which has a file identifier.For a fixed file identifier, the signatures have (or should have) thehomomorphic property. However, the signatures of vectors associated withdifferent file identifiers are not (or should not) be able to becombined.

More formally, a homomorphic network signature scheme is a tuple ofefficient algorithms Σ=(Keygen, Sign, Verify, Combine) where Keygen(λ,n)is a probabilistic algorithm that takes as input a security parameter λ∈

and an integer n∈poly(λ) denoting the length of the vectors to besigned. The algorithm outputs the public key, secret key pair (pk,sk).Sign(pk,sk,{right arrow over (m)},id) is a possibly randomized algorithmthat takes public key, secret key pair (pk,sk), a vector {right arrowover (m)} of dimension n, a file identifier id and outputs a signatureσ.

Verify(pk,id,{right arrow over (m)},σ) is a deterministic algorithm thattakes the public key pk, a signature σ and a vector {right arrow over(m)}. This algorithm outputs Accept or Reject.Combine(pk,{(β_(i),σ_(i))}_(i=1) ^(l)) is a possibly randomizedalgorithm that takes as input the public key pk, and l signatures σ_(i)with corresponding weight β_(i). The output is a signature σ on thevector {right arrow over (y)}=Σ_(i=1) ^(lβ) _(i){right arrow over(v_(i))}, where σ_(i) is a signature on {right arrow over (v_(i))}. Thevectors {right arrow over (v_(i))}and the combined vector {right arrowover (y)} shares a common file identifier id.

With respect to correctness, for the security parameters λ∈N, allintegers n∈poly(λ) and all tuples (pk,sk)←Keygen(λ,n), the followingholds.

-   -   1. For any n-vector {right arrow over (m)}, and file identifier        id if σ←Sign(pk,sk,id,{right arrow over (m)}) then        Verify(pk,id,{right arrow over (m)},σ)→Accept.    -   2. Suppose σ_(i)'s are valid signatures for vectors {right arrow        over (m_(i))}'s with file identifier id (in other words        Verify(pk,id,{right arrow over (m_(i))},σ_(i))→Accept) for i=1,        . . . , l. Then, for any set of scalars β₁, . . . , β_(l),        Verify(pk,id,{right arrow over (y)},σ)→Accept where        Combine(pk,{(β_(i),σ_(i))}_(i=1) ^(l))→σ and {right arrow over        (y)}=Σ_(i=1) ^(l){right arrow over (m_(i))}.

Turning to a security model for network coding signatures which is anatural extension of unforgeability against chosen message attack(UCMA), a homomorphic network signature scheme Σ=(Keygen, Sign, Verify,Combine) is considered to be secure if any probabilistic polynomial timeadversary (PPT) has negligible advantage (as a function of the securityparameter λ∈

) in the following game:

-   -   1. The adversary        chooses an integer n∈        (polynomial in terms of the security parameter λ) and sends it        to the challenger. The challenger runs Keygen(λ,n), obtains        (pk,sk) and sends pk to    -   2. For i=1, . . . , t,        -   chooses a k_(i)-dimensional vector space V_(i)=Span{{right            arrow over (m)}_(i,1), . . . , {right arrow over (m)}_(i,k)            _(i) }⊂ Z_(p) ^(n) and and sends {{right arrow over (m)}₁            ^(i), . . . , {right arrow over (m)}_(k) _(i) ^(i)} to the            challenger. The challenger chooses a random id_(i)∈            _(p), returns id_(i) and {σ_(j)            ^(i)←Sign(pk,sk,id_(i),{right arrow over (m)}_(j)            ^(i))}_(j=1) ^(k) ^(i) to            .    -   3. The adversary        outputs a file identifier, message, signature tuple (id,{right        arrow over (m)},σ) and wins if        -   (a) either of the following holds,            -   id≠id_(i) for all i∈[1,t]            -   id≠id_(i*) for some i*∈[i,t], {right arrow over                (m)}∉V_(i*)        -   (b) σ is a valid signature for the file identifier id and            the vector {right arrow over (m)}, in other words            Verify(pk,id,{right arrow over (m)},σ)→Accept.

Further described herein is a stronger security model. While queryingsignatures for message vectors, the adversary can specify the fileidentifier on its own. A homomorphic network signature scheme Σ=(Keygen,Sign, Verify, Combine) is considered to be secure in the strongersecurity model if any probabilistic polynomial time adversary (PPT) hasnegligible advantage (as a function of the security parameter λ∈

) in the following game:

-   -   1. The adversary        chooses an integer n∈        (polynomial in terms of the security parameter λ) and sends it        to the challenger. The challenger runs Keygen(λ,n), obtains        (pk,sk) and sends pk to        2. For i=1, . . . , t,        -   (c)            chooses a n-dimensional vector {right arrow over (m_(i))}            and a file identifier id_(i) on his own and sends            (id_(i),{right arrow over (m_(i))}) to the challenger. The            challenger returns σ_(i)←Sign(pk,sk,id_(i),{right arrow over            (m_(i))}) to    -   3. Adversary        outputs a file identifier, message, signature tuple (id,{right        arrow over (m)},σ) and wins if        -   (a) {right arrow over (m)} can not be expressed as a linear            combination of the vectors {right arrow over (m_(j) ₁ )}, .            . . , {right arrow over (m_(j) _(k) )}, where adversary has            made the queries (id,{right arrow over (m_(j) _(s) )}) (for            1≦s≦k) to the challenger in the first phase.        -   (b) σ is a valid signature for the file identifier id and            the vector {right arrow over (m)}, in other words            Verify(pk,id,{right arrow over (m)},σ)→Accept.

Turning to a construction of Keygen(λ,n):

-   Define gk=(p,G₁,G₂,G_(T),e,    ₁,    ₂). G₁ and G₂ are cyclic groups of order p generated by    ₁,    ₂ respectively. e is a bilinear pairing G₁×G₂→G_(T). Map F:G₁ ²×G₂    ²→G_(T) ⁴ is defined as:

${F\left( {\left( {X_{1},X_{2}} \right),\left( {Y_{1},Y_{2}} \right)} \right)} = {\left( {\begin{matrix}{e\left( {X_{1},Y_{1}} \right)} \\{e\left( {X_{2},Y_{1}} \right)}\end{matrix}\begin{matrix}{e\left( {X_{1},Y_{2}} \right)} \\{e\left( {X_{2},Y_{2}} \right)}\end{matrix}} \right).}$

-   Choose α₁,α₂,t₁,t₂←    _(p)* at random. Define,

{right arrow over (u)}=(u ₁ ,u ₂)^(T), where u ₁=(

₁,α₁

₁), u ₂ =t ₁ u ₁,

{right arrow over (v)}=(v ₁ ,v ₂)^(T), where v ₁=(

₂,α₂

₂), v ₂ =t ₂ v ₁.

-   Define the maps l′ ₁:Z_(p)→G₁ ² and t₂:G₂→G₂ ² as follows.

l′ ₁(z)=zu, where u=u ₂+(

,

₁) amd t₂(

)=(

).

-   Choose {right arrow over (x)}=(x₁, . . . , x_(n))^(T),{right arrow    over (r)}=(r₁, . . . , r_(n))^(T), ←    _(p) ^(n) at random, Define

{right arrow over (c)}=−l′ ₁({right arrow over (x)})+{right arrow over(r)}u ₁, where l′ ₁({right arrow over (x)})=(l′ ₁(x ₁), . . . , l ₁(x_(n)))^(T).

-   Output pk=(gk,{right arrow over (u)},{right arrow over (v)},{right    arrow over (c)}) as public key and sk=({right arrow over (x)},{right    arrow over (r)}) as secret key.-   A construction of Sign(pk,sk,{right arrow over (m)}=(m₁, . . . ,    m_(n))^(T)) is:-   Given a message {right arrow over (m)}∈    _(p) ^(n), define {right arrow over (M)}=(m₁    ₂, . . . , m_(n)    ₂)^(T). Solve for, Y∈G₂, s.t.

Y−{right arrow over (x)} ^(T) ·{right arrow over (M)}=0.

-   Choose S←Mat_(1×2)(    _(p)), T←Mat_(2×1)(    _(p)) randomly and evaluate the following.

d=l ₂(Y)+S{right arrow over (v)}.

π={right arrow over (r)} ^(T) _(l) ₂ ({right arrow over (M)})−T ^(T){right arrow over (v)}.

{right arrow over (Θ)}=S ^(T) _(l) ₁ _(′)(1)+Tu ₁

-   Output σ=(d,π,{right arrow over (Θ)}) as signature of {right arrow    over (m)}.-   A construction of Verify(pk,{right arrow over (m)}=(m₁, . . . ,    m_(n))^(T), σ=(d,π,{right arrow over (Θ)}) is:-   For vectors {right arrow over (p)}=(p₁, . . . , p_(k))^(T)∈(G₁    ²)^(k) {right arrow over (q)}=(q₁, . . . , q_(k))^(T)∈(G₂ ²)^(k),    the operation ·:(G₁ ²)^(k)×(G₂ ²)^(k)→G_(T) ⁴ (for any k∈    ) is defined as:

${{\overset{\rightarrow}{p}}^{T} \cdot \overset{\rightarrow}{q}} = {\sum\limits_{i = 1}^{k}\; {{F\left( {p_{i},q_{i}} \right)}.}}$

-   Define {right arrow over (M)}={right arrow over (m)}    ₂ and output Accept if the following equation holds, otherwise    Reject.

F(l₁′(1), d)+{right arrow over (c)}·l ₂({right arrow over (M)})=F(u₁,π)+{right arrow over (Θ)}·{right arrow over (v)},

A construction if Combine(pk,{(β_(i),σ_(i)=(d_(i),π_(i),{right arrowover (Θ_(i))}))}_(i=1) ^(l)) is:

-   Output σ=(Σ_(i=1) ^(l)β_(i)d_(i),Σ_(i=1) ^(l)β_(i)π_(i),Σ_(i=1)    ^(l)β_(i){right arrow over (Θ_(i))}).

Security of the above signature scheme is based on the followingassumption. Consider groups (G₁,G₂,G_(T)) of prime order p, for which abilinear pairing e:G₁×G₂→G_(T) is computable. Also, for anyn-dimensional vector {right arrow over (x)}=(x₁, . . . , x_(n))^(T) over

_(p),

₁∈G₁ and

₂∈G₂, define and oracle

(·) which on input an n-dimensional vector {right arrow over (m)}=(m₁, .. . , m_(n))^(T) over

_(p) returns x₁m₁

₂+ . . . +x_(n)m_(n)

₂.

Assumption 1. For any n∈

(polynomial in terms of the security parameter λ), let {right arrow over(x)} be a random vector of dimension n over

_(p). and

₁,

₂ be the generators of the groups G₁, G₂. Given

₁,

₂,G₁,G₂,G_(T),e,p,{right arrow over (x)}

₁ and oracle access to

(·), it is infeasible to output an n-dimensional vector {right arrowover (m)}32 (m₁, . . . , m_(n))^(T) over

_(p) and Y∈G₂ s.t.

-   -   1. {right arrow over (m)} can not be expressed as linear        combination of the vectors queried to the oracle        (·) and,        -   2. Y=x₁m₁            ₂+ . . . +x_(n)m_(n)            ₂.

By way of proof, suppose there exists an adversary

that breaks the security (as defined above) of the scheme with advantageε (non-negligible in terms of the security parameter λ). An algorithm

with black box access to

which breaks Assumption 1 with advantage ε, is constructed.

-   Algorithm    :-   Input:    ₁,    ₂,G₁,G₂,G_(T),e,p,{right arrow over (x)}    ₁ and oracle access to    (·).-   Output: {right arrow over (x)} and Y satisfying condition 1 and 2 in    Assumption 1.

Algorithm

acts as challenger in the security game as depicted above, and simulatesKeygen and Sign such that

can not distinguish between simulated output and original Keygen, Signoutput.

uses the forged signature from

to output ({right arrow over (x)},Y). Below are the SimKeygen andSimSign routines used by algorithm

SimKeygen(λ,n)

The operation proceeds as with Keygen(λ,n), except choosing {right arrowover (x)},{right arrow over (x)}′ on its own, and evaluating l₁′({rightarrow over (x)}) as follows.

$\begin{matrix}{{\iota_{1}^{\prime}\left( \overset{\rightarrow}{x} \right)} = {\overset{\rightarrow}{x}u}} \\{= {\overset{\rightarrow}{x}\left( {u_{2} + \left( {O,P_{1}} \right)} \right)}} \\{= {\overset{\rightarrow}{x}\left( {{t_{1}u_{1}} + \left( {O,P_{1}} \right)} \right)}} \\{= {\overset{\rightarrow}{x}\left( {{t_{1}\left( {P_{1},{\alpha_{1}P_{1}}} \right)} + \left( {O,P_{1}} \right)} \right)}} \\{= {\overset{\rightarrow}{x}{{P_{1}\left( {t_{1},\left( {{\alpha_{1}t_{1}} + 1} \right)} \right)}.}}}\end{matrix}$

Hence public key pk=(gk,{right arrow over (u)},{right arrow over(v)},{right arrow over (c)}) can be output (with gk=(e,G₁,G₂,G_(T),

₁,

₂)). As a secret key, instead of ({right arrow over (x)},{right arrowover (r)}) there is ({right arrow over (x)}

₁,{right arrow over (r)}).

SimSign({right arrow over (m)}=(m ₁ , . . . m _(n))^(T))

As {right arrow over (x)} is not known, Y cannot really be solved.However, the oracle does so; if querying

({right arrow over (m)}) gets back the required Y. Afterwards, followingthe Sign procedure generates valid signature.

-   If    returns a valid forgery, from the commitment d of Y, Y may be    extracted using trapdoor α₂ and break Assumption 1.

Turning to one homomorphic network coding signature scheme describedherein, the scheme uses bilinear pairings on prime order groups. It isprovably secure in the standard model.

For Keygen(λ,n):

-   Define gk=(p,G₁,G₂,G_(T),e,    ₁,    ₂). G₁ and G₂ are cyclic groups of order p generated by    ₁,    ₂ respectively. e is a bilinear pairing G₁×G₂→G_(T). Choose, {right    arrow over (x)},{right arrow over (x)}′∈    _(p) ^(n) c and x_(n+1)∈Z_(p) at random. Publish pk=(gk,{right arrow    over (x)}, P₁,{right arrow over (x)}′P₁,x_(n+1)P₁)as public key and    keep sk=({right arrow over (x)},{right arrow over (x)}′,x_(n+1)) as    secret key.

For Sign (pk,sk,id,{right arrow over (m)}=(m₁, . . . , m_(n))^(T)):

-   Choose {right arrow over (r)}∈Z_(p) ^(n) randomly. Evaluate

$Y = {\frac{\left( {{{\overset{\rightarrow}{m}}^{T} \cdot \overset{\rightarrow}{x}} + {{\overset{\rightarrow}{r}}^{T} \cdot {\overset{\rightarrow}{x}}^{\prime \; T}}} \right)P_{2}}{{id} + x_{n + 1}}.}$

Output σ=(Y,{right arrow over (r)}) as signature of {right arrow over(m)} with file identifier id.

For Verify(pk,id,{right arrow over (m)}=(m₁, . . . , m_(n))^(T),σ=(Y,{right arrow over (r)})):

Output Accept if the following equation holds, otherwise Reject.

e((x _(n+1)

₁)+id

₁ , Y)=e({right arrow over (m)} ^(T)·({right arrow over (x)}

₁)+{right arrow over (r)} ^(T)·({right arrow over (x)}′

),

₂)

For Combine(pk,{(β_(i),σ₁=(Y_(i),{right arrow over (r)}_(i)))}_(i=1)^(l)):

Output σ=(Σ_(i=1) ^(l)β_(i)Y_(i),Σ_(i=1) ^(l)β_(i){right arrow over(e)}_(i)).

-   The homomorphic network coding signature scheme described above, is    secure if the following assumptions are true.

Assumption 2. For any n∈

(polynomial in terms of the security parameter λ), {right arrow over(x)} be a random vector of dimension n over

_(p). x_(n+1) be a random element from Z_(p).

₁,

₂ be the generators of the groups G₁, G₂ of order p, supporting anefficient bilinear pairing e:G₁×G₂→G_(T). Given

₁,

₂,G₁,G₂,G_(T),e,p,{right arrow over (x)}

₁,x_(n+1)

₁ and following t (polynomial in terms of security parameter λ) many(2n−1)-tuples

$\begin{matrix}\begin{matrix}\left( {w_{1}^{1},\ldots \mspace{14mu},w_{n - 1}^{1},w_{n}^{1},{\frac{x_{1} + {w_{1}^{1}x_{n}}}{x_{n + 1} + w_{n}^{1}}P_{2}},\ldots \mspace{14mu},{\frac{x_{n - 1} + {w_{n - 1}^{1}x_{n}}}{x_{n + 1} + w_{n}^{1}}P_{2}}} \right) \\\vdots\end{matrix} \\\left( {w_{1}^{t},\ldots \mspace{14mu},w_{n - 1}^{t},w_{n}^{t},{\frac{x_{1} + {w_{1}^{t}x_{n}}}{x_{n + 1} + w_{n}^{t}}P_{2}},\ldots \mspace{14mu},{\frac{x_{n - 1} + {w_{n - 1}^{t}x_{n}}}{x_{n + 1} + w_{n}^{t}}P_{2}}} \right)\end{matrix}$

where w₁ ^(i), . . . , w_(n) ^(i) are random elements from Z_(p) fori=1, . . . , t; it is infeasible to output

$\frac{x_{n}P_{2}}{x_{n + 1} + w_{n}^{i}}$

for any i∈[1, . . . , t].The previous assumption constitutes the core of the security proof, asit essentially provides the homomorphic property being sought.

Assumption 3. Let x be a random element from Z_(p). Let

₁,

₂ be the generators of the groups G₁,G₂ of order p supporting anefficient bilinear pairing e:G₁×G₂→G_(T). Given

₁,

₂,G₁,G₂,G_(T),e,p,x

₁and the following k (polynomial in terms of security parameter λ) many2-tuples

$\left( {w^{1},\frac{_{2}}{x + w^{1}}} \right),\ldots \mspace{14mu},\left( {w^{k},\frac{_{2}}{x + w^{k}}} \right),$

where w¹, . . . , w^(k) are random elements from Z_(p), it is infeasibleto output

$\left( {w,\frac{_{2}}{x + w}} \right),$

where w∉{w¹, . . . , w^(k)}.

For any forger

breaking the homomorphic network signature scheme from above, define anadversary(simulator)

which breaks either Assumption 2 or Assumption 3. The adversary

uses forger

as black box and needs to simulate challenger responses as in thesecurity game defined above. In the end forger

either returns a forged signature for a file identifier that it hasalready seen (Type-I forgery) or for a new file identifier (Type-IIforgery). Different simulation procedures are described for differenttype of forgeries. In the beginning

chooses a simulation procedure randomly. Even though in the beginning

does not know what kind of forger it is interacting with, it alwayschooses the correct simulation procedure with non-negligibleprobability.

For the type—I forgery, the forger returns (id,m,σ), and id=id_(i), forsome i*∈[i,t]. In step 2 of the security game, for i=1, . . . , t theadversary asked for signatures for a k_(i) dimensional vector spaceV_(i)=Span{{right arrow over (m)}₁, . . . , {right arrow over (m)}_(k)_(i) }. Even though k_(i) is less than or equal to n−1, the simulatorgenerates a random n−1 dimensional vector space V_(i)′⊃V_(i).Afterwards, the simulator generates signatures for V_(i)′. However, itonly gives back signatures corresponding to V_(i) to the forger. Afterthe forger returns a Type-I forgery (id,m,σ), in case m∈V_(i)′ (but notin V_(i)) the simulator aborts. However, adversary

tosses a random coin, and with equal probabilities it tries to breakAssumption 1 or Assumption 2.

For Case I—Breaking Assumption 2, given an instance of Assumption 2problem.

SimKeygen(λ,n)

-   Define gk=(p,G₁,G₂,G_(T),e,    ₁,    ₂). Choose a random diagonal matrix T=diag(t₁, . . . ,    t_(n))∈Mat_(n×n)(    _(p)). Define {right arrow over (x)}′ athcalP₁=T·x    ₁. Output

pk=(gk,{right arrow over (x)}

₁ ,{right arrow over (x)}′

₁ , x _(n+1)

₁)

as a public key, and keep T as secret.

SimSign(V _(i)=Span{{right arrow over (m)} ₁ , . . . , {right arrow over(m)} _(k) _(i) ^(i)})

Choose (n−1−k_(i)) many random messages {right arrow over (m)}_(k) _(i)₊₁ ^(i), . . . , {right arrow over (m)}_(n−1) ^(i). SupposeV_(i)′=Span{{right arrow over (m)}₁ ^(i), . . . , {right arrow over(m)}_(n−1) ^(i)}). Choose a random matrix

$R^{i} = {\begin{bmatrix}r_{1,1}^{i} & \ldots & r_{1,{n - 1}}^{i} \\\vdots & \ddots & \vdots \\r_{{n - 1},1}^{i} & \ldots & r_{{n - 1},{n - 1}}^{i}\end{bmatrix} \in {{{Mat}_{{({n - 1})} \times {({n - 1})}}\left( {\mathbb{Z}}_{p} \right)}.}}$

Abort if R^(i) is non invertible. Define U^(i)=[R^(i)|R^(i)·{right arrowover (w)}^(i)], where {right arrow over (w)}^(i)=(w₁ ^(i), . . . ,w_(n−1) ^(i)).

-   Evaluate {right arrow over (r)}′₁ ^(i), . . . , {right arrow over    (r)}′_(n−1) ^(i) s.t.

[{right arrow over (r)}′ ₁ ^(i) | . . . |{right arrow over (r)}′ _(n−1)^(i)]^(T)=(U ^(i) −[{right arrow over (m)} ₁ ^(i) , . . . , {right arrowover (m)} _(n−1) ^(i)]^(T))·T ⁻¹.

-   Output id_(i)=w_(n) ^(i) and (σ₁ ^(i), . . . , σ_(k) _(i) ^(i))    where,

$\sigma_{j}^{i} = \left( {{\sum\limits_{k = 1}^{n - 1}{\frac{r_{j,k}^{i}\left( {x_{k} + {w_{k}^{i}x_{n}}} \right)}{x_{n + 1} + w_{n}^{i}}_{2}}},{\overset{->}{r}}_{j}^{\prime \; i}} \right)$

for j=1, . . . , k_(i).

If the adversary

returns a forgery (id,{right arrow over (m)},σ) s.t. id∉[w_(n) ¹, . . ., w_(n) ^(t)] Abort. Also, Abort if id=w_(n) ^(i)* and {right arrow over(m)}∈V_(i*)′. Write σ as (Y,{right arrow over (r)}) and define

{right arrow over (w)}={right arrow over (m)}+{right arrow over (r)}·T.

If σ is a valid signature there is

$Y = {\frac{{\overset{->}{w}}^{T} \cdot \overset{->}{x}}{x_{n + 1} + w_{n}^{i*}}{_{2}.}}$

If {right arrow over (w)}∉ Rowspace(U^(i)*) one can find out

$\frac{x_{n}_{2}}{x_{n + 1} + w_{n}^{i*}}$

by Gauss Elimination. If {right arrow over (w)}∈ Rowspace(U^(i)*),abort.

For case II of—Breaking Assumption 2, when {right arrow over (w)}∈Rowspace(U^(i)*): Define {right arrow over (u)}₁ ^(i), . . . , {rightarrow over (u)}_(n−1) ^(i) s.t.

U ^(i) =[{right arrow over (u)} ₁ _(i) | . . . |{right arrow over (u)}_(n−1) ^(i)]^(T)

In this case, the simulator can find out one of t_(j)'s, given {rightarrow over (x)}

₁,{right arrow over (x)}′

₁,{right arrow over (x)}

₂,{right arrow over (x)}′

₂ for random {right arrow over (x)},{right arrow over (x)}′. As,

${\left( {\overset{->}{r} - {\sum\limits_{k = 1}^{n - 1}{\lambda_{k}{\overset{->}{r}}_{k}^{\prime \; i*}}}} \right) \cdot T} = {- {\left( {\overset{->}{m} - {\sum\limits_{k = 1}^{n - 1}{\lambda_{k}{\overset{->}{m}}_{k}^{i*}}}} \right).}}$

This is essentially breaking a variant of discrete log problem in G₁ andG₂, using this solver can again break Assumption 2.

With respect to Case III—Breaking Assumption 3, in this case theadversary forges with a different file identifier, or id ∉[w_(n) ¹, . .. , w_(n) ^(t)]. In this case

chooses {right arrow over (r)},{right arrow over (r)}′, on its own,takes x_(n+1)

₁ from the problem instance, and releases (gk,{right arrow over (x)}

₁,{right arrow over (x)}′

₂, x_(n+1)

₁) as a public key. Using {right arrow over (x)},{right arrow over (x)}′and the problem instance of Assumption 3, signing is straightforward.Also, having a valid forgery where id ∉[w_(n) ¹, . . . , w_(n) ^(t)],one can easily break Assumption 3.

With respect to generic security of the assumptions, a lower bound isprovided on the computational complexity of the assumptions in thegeneric group model. The original model is extended to account formultiple groups and bilinearlity. In the general bilinear group model,the elements of G₁, G₂ and G_(T) are encoded as arbitrary uniquestrings, whereby no information other than equality can be directlytested by the adversary. The adversary performs operations on groupelements by interacting with various oracles. The adversary has accessto the following oracles:

-   -   three oracles for the group operation in each of the three        groups G₁, G₂ and G_(T),    -   two oracles for the homomorphism ψ:G₁→G₂ and its inverse ψ⁻¹ and    -   one oracle for the bilinear pairing e:G₁×G₂→G_(T).

This model actually gives more power to the adversary in bilinear groupswhere ψ or ψ⁻¹ cannot be computed efficiently. To simulate the workingof the oracles, the encodings of the elements of G₁,G₂,G_(T) are modeledusing injective functions ζ₁,ζ₂,ζ_(T):

_(p)→{0,1}^([log) ² ^(p)], where p is the group order. Internally, thesimulator represents the elements of G₁,G₂,G_(T) not as themselves butas their discrete logarithms relative to some arbitrary generatorsg₁,g₂,g_(T). The functions ζ₁,ζ₂,ζ_(T), map a,b,c∈

_(p) to the external string representationsζ₁(a),ζ₂(b),ζ_(T)(c)∈{0,1}^(log) ² ^(p]) of the elements g₁ ^(a)∈G₁,g₂^(b)∈G₂,g_(T) ^(c)∈G_(T). The adversary knows |G₁|=|G₂|=|G_(T)|=p andcommunicates with the oracles using the string representation of thegroup elements exclusively.

Theorem 1: Suppose

is an algorithm that breaks Assumption 3 in generic bilinear groups oforder p with k∈

(polynomial in terms of the security paramter λ), making at most qoracle queries for the group operations in G₁,G₂,G_(T), thehomomorphisms ψ and ψ⁻¹, and the bilinear pairing e, all countedtogether. Suppose also that the integers x,w¹, . . . , w^(k) ∈

_(p) and the encoding functions ζ₁,ζ₂,ζ_(T) are chosen at random. Then,the probability ε, that

on input

$\left( {p,{\zeta_{1}(x)},{\left( {w^{1},{\zeta_{2}\left( \frac{1}{x + w^{1}} \right)}} \right)\mspace{14mu} \ldots}\mspace{14mu},\left( {w^{k},{\zeta_{2}\left( \frac{1}{x + w^{k}} \right)}} \right)} \right)$

outputs

$\left( {w,{\zeta_{2}\left( \frac{1}{x + w} \right)}} \right)$

with w∈

_(p)\{w₁, . . . , w_(k)},

$\varepsilon = {\Pr {\quad\left\lbrack {{^{G}\left( {p,{\zeta_{1}(x)},{\left( {w^{1},{\zeta_{2}\left( \frac{1}{x + w^{1}} \right)}} \right)\mspace{14mu} \ldots}\mspace{14mu},\left( {w^{k},{\zeta_{2}\left( \frac{1}{x + w^{k}} \right)}} \right)} \right)} = \left( {w,{\zeta_{2}\left( \frac{1}{x + w} \right)}} \right)} \right\rbrack}}$

is bounded as

$\varepsilon \leq {\frac{2\left( {q + k + 1} \right)^{2}\left( {k + 1} \right)}{p}.}$

By way of proof, consider an algorithm

that plays the following game with

. Initially

picks w¹, . . . , w^(k)∈_(R)

_(p) at random.

also maintains three lists of pairs L₁={(F_(1,i), ζ_(1,i)):i=1, . . . ,τ₁}, L₂={(F_(2,i),ζ_(2,i)):i=1, . . . , τ₂} andL_(T)={(F_(T,i),ζ_(T,i)):i=1, . . . , τ_(T)}, such that at step T in thegame (after

has made τ many oracle queries), there is τ₁+τ₂+τ_(T)=τ+k+1. HereF_(1,i) and F_(2,i) are linear polynomials in

${{\mathbb{Z}}_{p}\left\lbrack {X,\frac{1}{X + w^{1}},\ldots \mspace{14mu},\frac{1}{x + w^{k}}} \right\rbrack}.$

F_(T,i)'s are quadratic polynomials in

${{\mathbb{Z}}_{p}\left\lbrack {X,\frac{1}{X + w^{1}},\ldots \mspace{14mu},\frac{1}{x + w^{k}}} \right\rbrack}.$

The entries are ζ_(1,i),ζ_(2,i),ζ_(T,i) are the strings given toalgorithm

by

. At step τ=0, the lists are initialized by setting τ₁=1, τ₂=k andτ_(T)=0, and assigning

${F_{1,1} = x},{F_{2,1} = \frac{1}{X + w^{1}}},\ldots \mspace{14mu},{F_{2,k} = {\frac{1}{X + w^{k}}.}}$

The strings ζ_(1,1), ζ_(2,1), . . . , ζ_(2,k) are initialized todistinct random strings.

Assume that

only makes oracle queries on strings previously obtained from

. Hence, given any query string ζ_(1,i), it is easy for

to determine its index i into the table L₁, and from there thecorresponding expression F_(1,i). If the same string appears multipletimes in the list L₁ the ties are broken arbitrarily. (The same appliesto L₂ and L_(T).) To start the game,

provides

the string ζ_(1,1) and following k-many 2-tuples:

(w ¹, ζ_(2,1)), . . . , (w ^(k), ζ_(2,k))

that correspond to the Assumption 3 challenge instance.

answers

s queries as follows:

Group Operations:

may request a group operation in G₁ as a multiplication or as adivision. Before answering the query the simulator

starts by incrementing the τ₁ counter by one.

gives

two operands ζ_(1,i),ζ_(1,j) with 1≦i,j<τ₁, and a multiply/divideselection bit. To respond,

creates a polynomial F_(1,τ) ₁

$\in {{\mathbb{Z}}_{p}\left\lbrack {X,\frac{1}{X + w^{1}},\ldots \mspace{14mu},\frac{1}{x + w^{k}}} \right\rbrack}$

which it sets to F_(1,τ) ₁ ←F_(1,i)+F_(1,j) for a multiplication or toF_(1,τ) ₁ ←F_(1,i)−F_(1,j) for a division. If the result is identical toan earlier polynomial F_(1,l) for some l<τ₁, the simulator

duplicates the string representation ζ_(1,τ) ₁ ←ζ_(1,l); otherwise, itlets ζ_(1,τ) ₁ be a fresh random string in {0,1}^([log) ² ^(p]) distinctfrom ζ_(1,1), . . . , ζ_(1,τ) ₁ ⁻¹. The simulator appends the pair(F_(1,τ) ₁ , ζ_(1,τ) ₁ ) to the list L₁ and gives the string ζ_(1,τ) ₁to

. Group operation queries in G₂ and G_(T) are answered in a similarmanner, based on the lists L₂ and L_(T) respectively.

Homomorphism: To answer an inverse homomorphism query ψ⁻¹:G₂→G₁, thesimulator starts by incrementing the τ₁ counter by one.

gives to

a string operand ζ_(2,i) with 1≦i<τ₂. To respond,

makes a copy of the associated L₂ polynomial in L₁: it sets F_(1,τ) ₁←F_(2,i). If L₁ already contained a copy of the polynomial, i.e. F_(1,τ)₁ =F_(1,l) for some l<τ₁, the simulator

duplicates the string representation ζ_(1,τ) ₁ ←ζ_(1,l); otherwise, itlets ζ_(1,τ) ₁ be a fresh random string in {0,1}^([log) ² ^(p]) distinctfrom ζ_(1,1), . . . , ζ_(1,τ) ₁ ⁻¹. The simulator appends the pair(F_(1,τ) ₁ ,ζ_(1τ) ₁ ) to the list L₁ and gives the string ζ_(1,τ) ₁ to

The homomorphism queries ψ:G₁→G₂ are also answered similarly.

Pairing: A pairing query comprise two operands ζ_(1,i) and ζ_(2,i) with1≦i≦τ ₁ and 1≦j≦τ ₂ for the current values of τ₁ and τ₂. Upon receipt ofsuch a query from hcalA, the counter τ_(T) is incremented. The simulatorthen computes the product of the polynomials F_(T,τ) _(T)←F_(1,i)·F_(2,j). If L_(T) already contained a copy of the polynomial,i.e. F_(T,τ) ₇ =F_(T,l) for some l<τ_(T), the simulator

duplicates the string representation ζ_(T,τ) _(T) ←ζ_(T,l); otherwise,it lets ζ_(T,τ) _(T) be a fresh random string in {0,1}^([log) ² ^(p])distinct from ζ_(T,1), . . . , ζ_(T,τ) _(T) ⁻¹. The simulator appendsthe pair (F_(T,τ) _(T) ,ζ_(T,τ) _(T) ) to the list L_(T) and gives thestring ζ_(T,τ) _(T) to

As can be seen, the polynomials in the lists L₁ and L₂ are of degree atmost one in

${{\mathbb{Z}}_{p}\left\lbrack {X,\frac{1}{x + w^{1}},\ldots \mspace{14mu},\frac{1}{X + w^{k}}} \right\rbrack}.$

Also the polynomials in the list L_(T) are of degree at most two in

${{\mathbb{Z}}_{p}\left\lbrack {X,\frac{1}{x + w^{1}},\ldots \mspace{14mu},\frac{1}{X + w^{k}}} \right\rbrack}.$

Observe that the following invariant is preserved throughout the game,where T is the total number of oracle queries that have been answered atany given time:

τ₁+τ₂+τ_(T) =τk+1.   (2)

When

terminates it returns a pair (w,ζ_(2,l)) where w∈

_(p)\{w¹, . . . , w^(k)} and 1≦l≦τ₂. From ζ_(2,l) and the L₂,

finds the corresponding polynomial F_(2,l).

then picks a random x∈

_(p) and evaluates the polynomials F_(1,i),F_(2,j),F_(T,k) for 1≦i≦τ₁,1≦j≦τ₂, 1≦k≦τ_(T) including F_(2,l)x). For

s answer to be correct in the simulation framework, there needs to be:

$\begin{matrix}{{{F_{2,}(X)} = \frac{1}{X + w}},} & (3)\end{matrix}$

for X=x. As, F_(2,l) is linear in

${\mathbb{Z}}_{p}\left\lbrack {X,\frac{1}{x + w^{1}},\ldots \mspace{14mu},\frac{1}{X + w^{k}}} \right\rbrack$

and w∉{w₁, . . . , w_(k)} equation (3) is never an identity. In fact,equation (3) can be reduced to an equation in

_(p) [X] of degree at most k+2. Hence equation (3) holds withprobability at most

$\frac{k + 2}{p}.$

Note that the simulation fails when two non-identical polynomials ineither of the three lists L₁, L₂ or L_(T) evaluates to same value in

_(p) because of the assignment Xζx. Observe that

-   -   For α∈{1,2},1≦i,j≦τ_(α),F_(α,i)≠F_(α,j), the equation        F_(α,i)(X)=F_(α,j)(X) can be reduced to an equation in        _(p) [X] of degree at most k+1.    -   For 1≦i,j≦τ_(T),F_(T,i)≠F_(T,j), the equation        F_(T,i)(X)=F_(T,j)(X) can be reduced to an equation in        _(p)[X] of degree at most 2(k+1). Now summing over the cases        where        wins,

$\varepsilon \leq {{\begin{pmatrix}\tau_{1} \\2\end{pmatrix}\frac{k + 1}{p}} + {\begin{pmatrix}\tau_{2} \\2\end{pmatrix}\frac{k + 1}{p}} + {\begin{pmatrix}\tau_{T} \\2\end{pmatrix}\frac{2\left( {k + 1} \right)}{p}} + {\frac{k + 2}{p}.}}$

From equation (2) it is known that the game ends with τ₁+τ₂+τ_(T)=q+k+1.Hence,

$\varepsilon \leq {\frac{2\left( {q + k + 1} \right)^{2}\left( {k + 1} \right)}{p}.}$

Theorem 2: Suppose

is an algorithm, that breaks Assumption 2 in generic bilinear groups oforder p, with k, n∈

(polynomial in terms of the security parameter λ), making a t most qoracle queries for the group operations in G₁,G₂,G_(T), the isomorphismsψ and ψ⁻¹, and the bilinear pairing e, counted together. The integersw_(j) ^(i),x_(j′)∈

_(p), i=1 . . . t,j=1 . . . n,j′=1 . . . n+1, as well the encodingfunctions ζ₁,ζ₂,ζ_(T) are chosen at random. Then the probability ε, that

on input

$\begin{matrix}\left( {p,{\zeta_{1}\left( x_{1} \right)},\ldots \mspace{14mu},{\zeta_{1}\left( x_{n + 1} \right)}} \right) \\\left( {w_{1}^{1},\ldots \mspace{14mu},w_{n - 1}^{1},w_{n}^{1},{\zeta_{2}\left( \frac{x_{1} + {w_{1}^{1}x_{n}}}{x_{n + 1} + w_{n}^{1}} \right)},\ldots \mspace{14mu},{\zeta_{2}\left( \frac{x_{n - 1} + {w_{n - 1}^{1}x_{n}}}{x_{n + 1} + w_{n}^{1}} \right)}} \right) \\{\mspace{56mu} \vdots} \\\left( {w_{1}^{t},\ldots \mspace{14mu},w_{n - 1}^{t},w_{n}^{t},{\zeta_{2}\left( \frac{x_{1} + {w_{1}^{t}x_{n}}}{x_{n + 1} + w_{n}^{t}} \right)},\ldots \mspace{14mu},{\zeta_{2}\left( \frac{x_{n - 1} + {w_{n - 1}^{t}x_{n}}}{x_{n + 1} + w_{n}^{t}} \right)}} \right)\end{matrix}$

outputs

$\zeta_{2}\left( \frac{x_{n}}{x_{n + 1} + w_{n}^{i}} \right)$

for some i=1, . . . , t; can be bounded as,

$\varepsilon \leq {\frac{\left( {t + 1} \right)\left( {\tau + {\left( {n - 1} \right)t} + n + 1} \right)\left( {\tau + {n\; t} + n + 1} \right)}{p}.}$

By way of proof, proceed as in the previous theorem. However, note thatF_(1,i) and F_(2,i) are quadratic multinomials in

${{\mathbb{Z}}_{p}\left\lbrack {X_{1},\ldots \mspace{14mu},X_{n + 1},\frac{1}{X_{n + 1} + w_{n}^{1}},\ldots \mspace{14mu},\frac{1}{X_{n + 1} + w_{n}^{t}}} \right\rbrack};$

(note, quadratic terms are only of the type type

$\frac{X_{j}}{X_{n + 1} + w_{n}^{i^{\prime}}}$

for j=1, . . . , n; i′=1, . . . , t. Moreover, F_(1,i) and F_(2,i)'s cannever be of the form

$\frac{X_{n}}{X_{n + 1} + w_{n}^{i^{\prime}}}$

for any i′=1, . . . , t. F_(T,i)'s are multinomials of degree four in

${{\mathbb{Z}}_{p}\left\lbrack {X_{1},\ldots \mspace{14mu},X_{n + 1},\frac{1}{X_{n + 1} + w_{n}^{1}},\ldots \mspace{14mu},\frac{1}{X_{n + 1} + w_{n}^{t}}} \right\rbrack};$

(note that cubic terms are of the form

$\frac{X_{j_{1}}X_{j_{2}}}{X_{n + 1} + w_{n}^{i^{\prime}}}\mspace{14mu} {or}\mspace{14mu} \frac{X_{j}}{\left( {X_{n + 1} + w_{n}^{i_{1}^{\prime}}} \right)\left( {X_{n + 1} + w_{n}^{i_{2}^{\prime}}} \right)}$

and degree four terms are of the form

$\left. \frac{X_{j_{1}}X_{j_{2}}}{\left( {X_{n + 1} + w_{n}^{i_{1}^{\prime}}} \right)\left( {X_{n + 1} + w_{n}^{i_{2}^{\prime}}} \right)} \right)$

for j,j₁,j₂=1, . . . , n; i′,i′₁,i′₂=1, . . . , t.) In the end theadversary will succeed if there exists an i∈[1, . . . , τ₁] such that arandom assignment of X_(j)'s satisfy the equation

$\begin{matrix}{{F_{2,i} = \frac{X_{n}}{X_{n + 1} + w_{n}^{i^{\prime}}}},} & (4)\end{matrix}$

for some i′=1, . . . , t. For any fixed values of X₁, . . . ,X_(n−1),X_(n+1), equation (4) is either an identity or a linear equationin X_(n). When it is a linear equation, equation (4) holds only withprobability 1/p. The coefficient of X_(n) is actually a linearpolynomial in

${{\mathbb{Z}}_{p}\left\lbrack {\frac{1}{X_{n + 1} + w_{n}^{1}},\ldots \mspace{14mu},\frac{1}{X_{n + 1} + w_{n}^{t}}} \right\rbrack},$

or equivalently a degree t polynomial in

_(p)[X_(n)]. Hence, a random assignment of X₁, . . . , X_(n+1) equation(4) holds at most with probability

${\frac{t}{p} + \frac{1}{p}} = {\frac{t + 1}{p}.}$

Considering the fact, there are all together tτ₂ values of (i, i′); theadversary can succeed only with probability

$\frac{{t\left( {t + 1} \right)}\tau_{2}}{p}.$

The adversary also wins if the random assignment of X_(i′)'s causes acollision within the values of F_(1,i)'s (also for F_(2,i)'s andF_(T,i)'s). Following the description above, for i₁≠i₂ there is:

F_(1,i) ₁ =F_(1,i) ₂ ,

with probability at most

$\frac{t + 1}{p}.$

Hence, collision among F_(1,i) values can occur with probability at most

$\begin{pmatrix}\tau_{1} \\2\end{pmatrix}{\frac{t + 1}{p}.}$

Similarly, collision among F_(2,i) values can occur with probability atmost

$\begin{pmatrix}\tau_{2} \\2\end{pmatrix}{\frac{t + 1}{p}.}$

In a similar line of argument, collision among F_(T,i) values occur withprobability at most

$\begin{pmatrix}\tau_{T} \\2\end{pmatrix}{\frac{2\left( {t + 1} \right)}{p}.}$

Also, τ₁+τ₂+τ_(T)=τ(n−1)t+(n+1). Hence,

$\begin{matrix}{\varepsilon \leq {\frac{{t\left( {t + 1} \right)}\tau_{2}}{p} + {\begin{pmatrix}\tau_{1} \\2\end{pmatrix}\frac{t + 1}{p}} + {\begin{pmatrix}\tau_{2} \\2\end{pmatrix}\frac{t + 1}{p}} + {\begin{pmatrix}\tau_{T} \\2\end{pmatrix}\frac{2\left( {t + 1} \right)}{p}}}} \\{\leq \frac{\left( {t + 1} \right)\left( {\tau + {\left( {n - 1} \right)t} + n + 1} \right)\left( {\tau + {n\; t} + n + 1} \right)}{p}}\end{matrix}$

Described further is another standard model scheme, namely a homomorphicnetwork coding signature scheme in the stronger security model. Thisscheme guarantees a stronger security. With this stronger notion ofsecurity, while making a query to the signing oracle, the adversary canchoose the file identifier on its own. However, this scheme is based ona stronger oracle-based hardness assumption, and is based on Groth-SahaiProof Systems with homomorphic property.

For Keygen(λ,n):

-   Define gk=(p,G₁,G₂,G_(T),e,    ₁,    ₂). G₁, G₂ are cyclic groups of prime order p generated by    ₁,    ₂ respectively. e is a bilinear pairing G₁×G₂→G_(T). Also define map    F:G₁ ²×G₂ ²→G_(T) ⁴ as follows.

${F\left( {\left( {X_{1},X_{2}} \right),\left( {Y_{1},Y_{2}} \right)} \right)} = {\begin{pmatrix}{e\left( {X_{1},Y_{1}} \right)} & {e\left( {X_{1},Y_{2}} \right)} \\{e\left( {X_{2},Y_{1}} \right)} & {e\left( {X_{2},Y_{2}} \right)}\end{pmatrix}.}$

-   Choose α₁,α₂,t₁,t₂←    _(p)* at random. Define,

{right arrow over (u)}=(u ₁ ,u ₂)^(T), where u ₁=(

₁,α₁

₁),u ₂ =t ₁ u ₁,

{right arrow over (v)}=(v ₁ ,v ₂)^(T), where v ₁=(

₂,α₂

₂),v ₂ =t ₂ v ₁.

-   Define the maps l′₁:Z_(p)→G₁ ²and l₂:G₂→G₂ ² as follows.

l′ ₁(z)=zu, where u=u ₂+(

,

₁) amd t₂(

)=(

).

-   Choose {right arrow over (x)}=(x₁, . . . , x_(n+1))^(T),{right arrow    over (r)}=(r₁, . . . , r_(n+1))^(T)←    _(p) ^(n+1) at random, Define

{right arrow over (c)}=−l′ ₁({right arrow over (x)})+{right arrow over(r)}u ₁, where l′ ₁({right arrow over (x)})=(l′ ₁(x ₁), . . . , l ₁(x_(n+1)))^(T).

-   Output pk=(gk,{right arrow over (u)},{right arrow over (v)},{right    arrow over (c)}) as public key and sk=({right arrow over (x)},{right    arrow over (r)}) as secret key.

For Sign(pk,sk,id,{right arrow over (m)}=(m₁, . . . , m_(n))^(T)):

-   Given a message {right arrow over (m)}∈    _(p) ^(n) and file identifier id∈    _(p)n, solve for, Y∈G₂, s.t.

$Y = {\frac{\left( {{x_{1}m_{1}} + \ldots + {x_{n}m_{n}}} \right)_{2}}{{id} + x_{n + 1}}.}$

In other words,

idY−{right arrow over (x)} ^(T) ·{right arrow over (M)}−{right arrowover (x)} ^(T) ·┌Y=0.   (5)

where {right arrow over (M)}=(m₁

₂, . . . , m_(n)

₂,

)^(T)∈G₂ ^(n+1) and ┌=(0, . . . , 0, −1)^(T)∈Z_(p) ^(n+1).

-   Choose S←Mat_(1>2)(    _(p)), T←Mat_(2×1)(    _(p)) randomly and evaluate the following.

d=t ₂(Y)+S{right arrow over (v)}.

π={right arrow over (r)} ^(T) t ₂({right arrow over (M)})+{right arrowover (r)} ^(T) ┌S{right arrow over (v)}−T ^(T) {right arrow over (v)}.

{right arrow over (Θ)}=S ^(T) l ₁′(id)−S ^(T)┌^(T) l ₁′({right arrowover (x)})+Tu ₁

Output σ=(d,π,{right arrow over (Θ)}) as signature of {right arrow over(m)} with file identifier id.

For verify(pk,id,{right arrow over (m)}=(m₁, . . . , m_(n))^(T),σ=(d,π,{right arrow over (Θ)}):

-   Define {right arrow over (M)}=(m₁    ₂, . . . , m_(n)    ₂,    )^(T), ┌=(0, . . . , 0, −1)^(T)∈Z_(p) ^(n+1) and output Accept if    the following equation holds, otherwise Reject.

F(t ₁′(id),d)+{right arrow over (c)}·(t ₂({right arrow over(M)})+┌d)=F(u ₁,π)+{right arrow over (Θ)}·{right arrow over (v)},   (6)

For Combine(pk,{(β_(i),σ_(i)=(d _(i),π_(i),{right arrow over(Θ)}_(i)))}_(i=1) ^(l)):

-   Output σ=(Σ_(i=1) ^(l)β_(i)d_(i),Σ_(i=1) ^(l)β_(i)π_(i),Σ_(i=1)    ^(l)β_(i){right arrow over (Θ_(i))}).

The above mentioned signature scheme a Groth-Sahai Proof System, where{right arrow over (c)} and d are commitments for {right arrow over (x)}and Y. Whereas π and {right arrow over (Θ)} are the proofs that thecommitted values satisfy Equation (5), Equation (6), is the same as theverification equation of Groth-Sahai proofs. Hence, a correctlygenerated signature is always accepted by the Verify procedure. Also,the Combine procedure always generates correct signatures, as Equation(1) is linear in {right arrow over (M)}.

With respect to security and a complexity assumption, there are groups(G₁, G₂, G_(T)) of prime order p, for which a bilinear pairinge:G₁×G₂→G_(T) is computable. For any (n+1)-dimension vector {right arrowover (x)}=(x₁, . . . , x_(n+1))^(T) over Z_(p),

₂∈G₂, define an oracle

(·,·) which on input id∈Z_(p) and an n-dimensional vector {right arrowover (m)}=(m₁, . . . , m_(n))^(T) over Z_(p) returns

$\frac{\left( {{x_{1}m_{1}} + \ldots + {x_{n}m_{n}}} \right)_{2}}{{id} + x_{n + 1}}$

Assumption 4. For any n∈

(polynomial in terms of the security parameter λ), let {right arrow over(x)} be a random vector of dimension (n+1) over

_(p) , and

₁,

₂ be the generators of the groups G₁, G₂. Given

₁,

3 ₂,G₁,G₂,G_(T),e,p,{right arrow over (x)}

₁ and oracle access to

(·,·) it is infeasible to output id∈Z_(p), an n-dimensional vector{right arrow over (m)}=(m₁, . . . , m_(n))^(T) over

_(p) and Y∈G₂s.t.

-   -   1. {right arrow over (m)} can not be expressed as linear        combination of the vectors queried to the oracle        (·,·) with file identifier id as first argument and,

$\begin{matrix}{Y = {\frac{\left( {{x_{1}m_{1}} + \ldots + {x_{n}m_{n}}} \right)_{2}}{{id} + x_{n + 1}}.}} & 2.\end{matrix}$

Suppose there exists an adversary

that breaks the security (as defined above) with advantage ε(non-negligible in terms of the security parameter λ). Constructed is analgorithm

with black box access to

, which breaks Assumption 1 with advantage ε.

-   Algorithm    : Input:    ₁,    ₂,G₁,G₂,G_(T),e,p,{right arrow over (x)}    ₁ and oracle access to    (·).-   Output: {right arrow over (m)} and Y satisfying condition 1 and 2 in    Assumption 4.-   Algorithm    acts as challenger in the security game as depicted above. It will    simulate Keygen and Sign such that    can not distinguish between simulated output and original Keygen,    Sign output.    will use the forged signature from    to output ({right arrow over (m)},Y). Below are the SimKeygen and    SimSign routines used by algorithm    .

SimKeygen(λ,n)

Proceed as Keygen(λ,n), except choosing {right arrow over (x)},{rightarrow over (x)}′ on its own. Instead, evaluate t₁′({right arrow over(x)}) as follows.

$\begin{matrix}{{\iota_{1}^{\prime}\left( \overset{->}{x} \right)} = {\overset{->}{x}u}} \\{= {\overset{->}{x}\left( {u_{2} + \left( {,_{1}} \right)} \right)}} \\{= {\overset{->}{x}\left( {{t_{1}u_{1}} + \left( {,_{1}} \right)} \right)}} \\{= {\overset{->}{x}\left( {{t_{1}\left( {_{1},\alpha_{1},_{1}} \right)} + \left( {,_{1}} \right)} \right)}} \\{= {\overset{->}{x}{{_{1}\left( {t_{1},\left( {{\alpha_{1}t_{1}} + 1} \right)} \right)}.}}}\end{matrix}$

Hence public key pk=(gk,{right arrow over (u)},{right arrow over(v)},{right arrow over (c)}) can be output (with gk=(e, G₁,G₂,G_(T),

₁,

₂)). As a secret key, instead of ({right arrow over (x)},{right arrowover (r)}) there is ({right arrow over (x)}

₁,{right arrow over (r)}).

SimSign(id,{right arrow over (m)}=(m ₁ , . . . , m _(n))^(T))

As {right arrow over (x)} is not known, Y cannot really be solved.However, the oracle can, e.g., querying

(id,{right arrow over (m)}) gets back the required Y. Afterwards, usethe Sign procedure to generate a valid signature.

If A returns a valid forgery, from the commitment d of Y may beextracted using trapdoor α₂ and break Assumption 4.

As can be seen, there is described homomorphic network signatureschemes, provably secure in standard model. The schemes areprobabilistic and based on prime order bilinear pairings. One scheme isbased on a natural homomorphic hardness assumption on bilinear pairinggroups. A second scheme which is secure in a stronger security model,with security reduced to an oracle-based hardness assumption. Note thatthese schemes do not need a CompatibilityCheck procedure.

Example Operating Environment

FIG. 4 illustrates an example of a suitable computing and networkingenvironment 400 into which the examples and implementations of any ofFIGS. 1-3 may be implemented, for example. The computing systemenvironment 400 is only one example of a suitable computing environmentand is not intended to suggest any limitation as to the scope of use orfunctionality of the invention. Neither should the computing environment400 be interpreted as having any dependency or requirement relating toany one or combination of components illustrated in the exampleoperating environment 400.

The invention is operational with numerous other general purpose orspecial purpose computing system environments or configurations.Examples of well known computing systems, environments, and/orconfigurations that may be suitable for use with the invention include,but are not limited to: personal computers, server computers, hand-heldor laptop devices, tablet devices, multiprocessor systems,microprocessor-based systems, set top boxes, programmable consumerelectronics, network PCs, minicomputers, mainframe computers,distributed computing environments that include any of the above systemsor devices, and the like.

The invention may be described in the general context ofcomputer-executable instructions, such as program modules, beingexecuted by a computer. Generally, program modules include routines,programs, objects, components, data structures, and so forth, whichperform particular tasks or implement particular abstract data types.The invention may also be practiced in distributed computingenvironments where tasks are performed by remote processing devices thatare linked through a communications network. In a distributed computingenvironment, program modules may be located in local and/or remotecomputer storage media including memory storage devices.

With reference to FIG. 4, an example system for implementing variousaspects of the invention may include a general purpose computing devicein the form of a computer 410. Components of the computer 410 mayinclude, but are not limited to, a processing unit 420, a system memory430, and a system bus 421 that couples various system componentsincluding the system memory to the processing unit 420. The system bus421 may be any of several types of bus structures including a memory busor memory controller, a peripheral bus, and a local bus using any of avariety of bus architectures. By way of example, and not limitation,such architectures include Industry Standard Architecture (ISA) bus,Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, VideoElectronics Standards Association (VESA) local bus, and PeripheralComponent Interconnect (PCI) bus also known as Mezzanine bus.

The computer 410 typically includes a variety of computer-readablemedia. Computer-readable media can be any available media that can beaccessed by the computer 410 and includes both volatile and nonvolatilemedia, and removable and non-removable media. By way of example, and notlimitation, computer-readable media may comprise computer storage mediaand communication media. Computer storage media includes volatile andnonvolatile, removable and non-removable media implemented in any methodor technology for storage of information such as computer-readableinstructions, data structures, program modules or other data. Computerstorage media includes, but is not limited to, RAM, ROM, EEPROM, flashmemory or other memory technology, CD-ROM, digital versatile disks (DVD)or other optical disk storage, magnetic cassettes, magnetic tape,magnetic disk storage or other magnetic storage devices, or any othermedium which can be used to store the desired information and which canaccessed by the computer 410. Communication media typically embodiescomputer-readable instructions, data structures, program modules orother data in a modulated data signal such as a carrier wave or othertransport mechanism and includes any information delivery media. Theterm “modulated data signal” means a signal that has one or more of itscharacteristics set or changed in such a manner as to encode informationin the signal. By way of example, and not limitation, communicationmedia includes wired media such as a wired network or direct-wiredconnection, and wireless media such as acoustic, RF, infrared and otherwireless media. Combinations of the any of the above may also beincluded within the scope of computer-readable media.

The system memory 430 includes computer storage media in the form ofvolatile and/or nonvolatile memory such as read only memory (ROM) 431and random access memory (RAM) 432. A basic input/output system 433(BIOS), containing the basic routines that help to transfer informationbetween elements within computer 410, such as during start-up, istypically stored in ROM 431. RAM 432 typically contains data and/orprogram modules that are immediately accessible to and/or presentlybeing operated on by processing unit 420. By way of example, and notlimitation, FIG. 4 illustrates operating system 434, applicationprograms 435, other program modules 436 and program data 437.

The computer 410 may also include other removable/non-removable,volatile/nonvolatile computer storage media. By way of example only,FIG. 4 illustrates a hard disk drive 441 that reads from or writes tonon-removable, nonvolatile magnetic media, a magnetic disk drive 451that reads from or writes to a removable, nonvolatile magnetic disk 452,and an optical disk drive 455 that reads from or writes to a removable,nonvolatile optical disk 456 such as a CD ROM or other optical media.Other removable/non-removable, volatile/nonvolatile computer storagemedia that can be used in the example operating environment include, butare not limited to, magnetic tape cassettes, flash memory cards, digitalversatile disks, digital video tape, solid state RAM, solid state ROM,and the like. The hard disk drive 441 is typically connected to thesystem bus 421 through a non-removable memory interface such asinterface 440, and magnetic disk drive 451 and optical disk drive 455are typically connected to the system bus 421 by a removable memoryinterface, such as interface 450.

The drives and their associated computer storage media, described aboveand illustrated in FIG. 4, provide storage of computer-readableinstructions, data structures, program modules and other data for thecomputer 410. In FIG. 4, for example, hard disk drive 441 is illustratedas storing operating system 444, application programs 445, other programmodules 446 and program data 447. Note that these components can eitherbe the same as or different from operating system 434, applicationprograms 435, other program modules 436, and program data 437. Operatingsystem 444, application programs 445, other program modules 446, andprogram data 447 are given different numbers herein to illustrate that,at a minimum, they are different copies. A user may enter commands andinformation into the computer 410 through input devices such as atablet, or electronic digitizer, 464, a microphone 463, a keyboard 462and pointing device 461, commonly referred to as mouse, trackball ortouch pad. Other input devices not shown in FIG. 4 may include ajoystick, game pad, satellite dish, scanner, or the like. These andother input devices are often connected to the processing unit 420through a user input interface 460 that is coupled to the system bus,but may be connected by other interface and bus structures, such as aparallel port, game port or a universal serial bus (USB). A monitor 491or other type of display device is also connected to the system bus 421via an interface, such as a video interface 490. The monitor 491 mayalso be integrated with a touch-screen panel or the like. Note that themonitor and/or touch screen panel can be physically coupled to a housingin which the computing device 410 is incorporated, such as in atablet-type personal computer. In addition, computers such as thecomputing device 410 may also include other peripheral output devicessuch as speakers 495 and printer 496, which may be connected through anoutput peripheral interface 494 or the like.

The computer 410 may operate in a networked environment using logicalconnections to one or more remote computers, such as a remote computer480. The remote computer 480 may be a personal computer, a server, arouter, a network PC, a peer device or other common network node, andtypically includes many or all of the elements described above relativeto the computer 410, although only a memory storage device 481 has beenillustrated in FIG. 4. The logical connections depicted in FIG. 4include one or more local area networks (LAN) 471 and one or more widearea networks (WAN) 473, but may also include other networks. Suchnetworking environments are commonplace in offices, enterprise-widecomputer networks, intranets and the Internet.

When used in a LAN networking environment, the computer 410 is connectedto the LAN 471 through a network interface or adapter 470. When used ina WAN networking environment, the computer 410 typically includes amodem 472 or other means for establishing communications over the WAN473, such as the Internet. The modem 472, which may be internal orexternal, may be connected to the system bus 421 via the user inputinterface 460 or other appropriate mechanism. A wireless networkingcomponent 474 such as comprising an interface and antenna may be coupledthrough a suitable device such as an access point or peer computer to aWAN or LAN. In a networked environment, program modules depictedrelative to the computer 410, or portions thereof, may be stored in theremote memory storage device. By way of example, and not limitation,FIG. 4 illustrates remote application programs 485 as residing on memorydevice 481. It may be appreciated that the network connections shown areexamples and other means of establishing a communications link betweenthe computers may be used.

An auxiliary subsystem 499 (e.g., for auxiliary display of content) maybe connected via the user interface 460 to allow data such as programcontent, system status and event notifications to be provided to theuser, even if the main portions of the computer system are in a lowpower state. The auxiliary subsystem 499 may be connected to the modem472 and/or network interface 470 to allow communication between thesesystems while the main processing unit 420 is in a low power state.

Conclusion

While the invention is susceptible to various modifications andalternative constructions, certain illustrated embodiments thereof areshown in the drawings and have been described above in detail. It shouldbe understood, however, that there is no intention to limit theinvention to the specific forms disclosed, but on the contrary, theintention is to cover all modifications, alternative constructions, andequivalents falling within the spirit and scope of the invention.

What is claimed is:
 1. In a computing environment, a method performed atleast in part on at least one processor comprising, securelydistributing data using a homomorphic signature scheme, includingsigning sets of data using the homomorphic signature scheme, in whichthe homomorphic signature scheme based upon binary pairing with standardprime order groups.
 2. The method of claim 1 further comprising,providing proof data independent of a random oracle.
 3. The method ofclaim 1 further comprising providing proof data including providingparameters for verification in a Groth-Sahai proof system.
 4. The methodof claim 1 further comprising providing proof data including providingparameters for verification independent of a Groth-Sahai proof system.5. The method of claim 1 wherein signing the sets of data comprisesdividing a block of data into smaller blocks, and separately signingeach smaller block.
 6. The method of claim 5 wherein distributing thedata comprises sending the smaller blocks to nodes of a network topologyconfigured for network coding combinations of a subset of the smallerblocks.
 7. The method of claim 5 wherein each of the smaller blockscontains information corresponding to a block identifier, and whereinthe homomorphic signature scheme protects against changes to a blockidentifier.
 8. The method of claim 1 further comprising, using an oraclebased hardness assumption over a bilinear group.
 9. The method of claim1, wherein securely distributing the data includes providing publicinformation, wherein the binary pairing with standard prime order groupscomprises prime numbers and points on an elliptic curve used to sign thedata.
 10. A computing device comprising, a processor, and a memorycoupled to the processor, the memory comprising computer-programinstructions executable by the processor, the instructions configured toverify whether a digitally signed set of data that was signed using ahomomorphic signature scheme based upon binary pairing with standardprime order groups is authentic, and if authentic, to use the set ofdata for further processing.
 11. The computing device of claim 10wherein the instructions are further configured to discard the set ofdata if not verified.
 12. The computing device of claim 10 wherein theinstructions to use the set of data for further processing compriseinstructions that when executed combine the set of data with at leastone other set of data in a network coding scheme into a combined set ofdata, sign the combined set of data using the homomorphic signaturescheme, and transmit the combined, signed set of data using adistribution scheme.
 13. The computing device of claim 12, wherein thedistribution scheme comprises a network coding content distributionscheme.
 14. The computing device of claim 12 wherein the binary pairingwith standard prime order groups comprises prime numbers and points onan elliptic curve used to sign the data, and wherein the instructionsfurther provide public information useable for authenticating thecombined, signed set of data.
 15. The computing device of claim 12,wherein the homomorphic signature scheme protects against changes to ablock identifier.
 16. The computing device of claim 10 wherein theinstructions further provide parameters for verification in aGroth-Sahai proof system.
 17. The computing device of claim 10 whereinthe instructions further provide parameters for verification independentof a Groth-Sahai proof system.
 18. The computing device of claim 10wherein the instructions to use the set of data for further processingcomprise instructions that when executed decode the set of data and atleast one other set of data into decoded sets of data, and reassemblethe decoded sets of data into an original data block.
 19. One or morecomputer-readable media having executable instructions comprising:verifying whether a digitally signed set of data that was signed using ahomomorphic signature scheme based upon binary pairing with standardprime order groups is authentic, and if authentic, combining the set ofdata with at least one other set of data in a network coding scheme intoa combined set of data and signing the combined set of data using thehomomorphic signature scheme, and transmitting the combined, signed setof data using a distribution scheme to use the set of data for furtherprocessing.
 20. The one or more computer-readable media of claim 19having further executable instructions comprising, providing proof dataindependent of a random oracle.